1 / 29

CJIS Security Policy

CJIS Security Policy. What Do I Need to Know?. What Is The CJIS Security Policy?. Federal mandate defining the minimum standard of security controls required to protect criminal justice information (CJI).

alicia
Télécharger la présentation

CJIS Security Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CJIS Security Policy What Do I Need to Know?

  2. What Is The CJIS Security Policy? • Federal mandate defining the minimum standard of security controls required to protect criminal justice information (CJI). • Policy applies to every individual with access to, or who would operate in support of criminal justice services or information. • Policy also applies to every criminal and • non-criminal justice entity that handles CJI.

  3. Policy Requirements • Policy Area 1 — Information Exchange Agreements • Policy Area 2 — Security Awareness Training • Policy Area 3 — Incident Response • Policy Area 4 — Auditing and Accountability • Policy Area 5 — Access Control • Policy Area 6 — Identification and Authentication • Policy Area 7 — Configuration Management • Policy Area 8 — Media Protection • Policy Area 9 — Physical Protection • Policy Area 10 — Systems and Communications Protection and Information Integrity • Policy Area 11 — Formal Audits • Policy Area 12 — Personnel Security • Policy Area 13 — Mobile Devices

  4. But Wait! There’s more! • Federal Information Security Act (FISMA) • Montana Information Technology Act (MITA) • Montana Operations Manual (MOM) • Information Security Policy (state level) • NIST (federal level) • MCA Law Enforcement Sections 44-2 & 44-5

  5. Misuse of confidential CJI • 45-7-601. Misuse of confidential criminal justice information. (1) A person commits the offense of misuse of confidential criminal justice information if the person is entitled to directly access the criminal justice information network and purposely or knowingly:      (a) accesses the criminal justice information network for personal use or financial gain; or      (b) disseminates information accessed from the criminal justice information network to any person who is not authorized to receive confidential criminal justice information pursuant to 44-5-303.      (2) A person convicted of the offense of misuse of confidential criminal justice information shall be imprisoned in the county jail for a term not to exceed 6 months and be fined an amount not less than $500.      (3) For purposes of this section, the following definitions apply:      (a) "Confidential criminal justice information" has the meaning provided in 44-5-103.      (b) "Criminal justice information network" has the meaning provided in 44-2-301. • History:En. Sec. 1, Ch. 25, L. 2015.

  6. NIST

  7. Who Is Running The Show? • At state level, there is an FBI CJIS Systems Officer. • At the state level, there is a CJIS Systems Agency Information Security Officer. • At the local level, a Terminal Agency Coordinator (TAC) is designated as the point of contact for all CJIS matters.

  8. The FBI Audit Process FBI randomly audits of CJA’s & NCJA’s every couple of years. Initial Contact & Notification of Audit Pre-Audit Questionnaire On-Site Audit Audit Follow-up & Compliance Planning

  9. Why Are We Here Again? The FBI has become more aggressive in their auditing of entities. Audit Scope Creep 2nd & 3rd party entities that handle CJI Public Perception on breaches Risk & Liability Audit Follow-up & Compliance Planning

  10. Policy Requirements • Policy Area 1 — Information Exchange Agreements • Policy Area 2 — Security Awareness Training • Policy Area 3 — Incident Response • Policy Area 4 — Auditing and Accountability • Policy Area 5 — Access Control • Policy Area 6 — Identification and Authentication • Policy Area 7 — Configuration Management • Policy Area 8 — Media Protection • Policy Area 9 — Physical Protection • Policy Area 10 — Systems and Communications Protection and Information Integrity • Policy Area 11 — Formal Audits • Policy Area 12 — Personnel Security • Policy Area 13 — Mobile Devices

  11. 1. Information Exchange Agreements • Information Exchange • Information Handling • State and Federal Agency User Agreements • Criminal Justice Agency User Agreements • Interagency & Management Control Agreements • Private Contractor User Agreements & the CJIS Security Addendum • Agency User Agreements • Monitoring, Review & Delivery of Services

  12. 2. Security Awareness Training All Personnel Rules, responsibilities and required behavior with respect to usage of CJI Implications of non-compliance to rules and regulations Protection of information subject to confidentiality Who to contact in case of an incident and the necessary actions needed to be taken Physical access to spaces and visitor control. There must be security policies in place and reporting that is required to be made in case of  unauthorized access Risks, threats and vulnerabilities associated in the process of handling CJI Matters relating to dissemination and destruction of information Protection of Media Proper Handling of CJI

  13. 2. Security Awareness Training • Personnel With Logical Access • General rules that outline the responsibilities and behavior related to usage of information systems • Protection that needs to be made with respect to Trojans, virus, malicious codes and malware • Use of encryption techniques for transferring sensitive information over the Internet • Specifics related to information security and confidential items, their usage, backup, archiving or destruction after its need is over. • Creation, usage and management of passwords Issues-Mobile & Handheld Devices • Web Usage - monitoring of user activity and prohibited sites Spam • Specifics related to unknown attachments/emails Social Engineering • Physical security- risks related to systems and data Issues related to access control

  14. 3. Security Awareness Training • Personnel with Information Technology Roles – Extra responsibilitiesMeasures taken to protection of network infrastructure • Access control measures • Backup and storage of data and if the approach is centralized or decentralized • Protection of the system and information from Trojans, worms, and viruses including scanning and updating of virus definitions • As part of the configuration management, application and system patches need to be applied • Security Training Records • Records of security awareness training. What specific training was documented. • Documents need to be maintained by a designated person.

  15. 3. Incident Response • Responsibilities of FBI CJIS Division: • Track reported trends and incidents • Monitor resolutions of reported incidents • Acting as chief clearing house for security alerts, intrusion incidents and other security events • Managing and maintain the Computer Security Incident Response Capability (CSIRC) of the CJIS information system. • Disseminate useful and timely bulletins on system vulnerabilities and threats • FBI CJIS should also ensure that additional resources are allotted to  a system that reports an incident.

  16. 3. Incident Response • Responsibilities of CSA ISO: • Identifying the individuals who are responsible for reporting the specific incidents that occur within their area of responsibility • Assigning individuals in each federal, international and state law enforcement organization that would serve as primary point of contact. This point of contact would be interfacing with the FBI CJIS division responsible for handling the incidents and responding to them • Collecting information related to the incidents from individuals or agencies for the purpose of coordinating and sharing them with other organizations that may be  or may not be affected • Developing, maintaining and implementing incident response mechanisms and coordinating the procedures with other organizations irrespective of whether they are affected are not • CSA ISO would also act as a single point of contact for their jurisdictional area to request assistance regarding incident response • CSA ISO also would collect and share all the information related to incident that he would receive from the FBI CJIS division, Department of Justice (DOJ) and other entities that fall into his jurisdiction

  17. 3. Incident Response Management of Information Security Incidents Incident Handling Collection of Evidence Incident Response Training Incident Monitoring

  18. 4. Auditing & Accountability Events to be logged:Successful as well as unsuccessful attempts to use Create, access, change, write or delete permission on a file, user account, directory or any other system resource access permission on a file, user account, directory or any other system resource Successful and failed attempts to change account passwordsSuccessful as well as unsuccessful actions by privileged accountsSuccessful as well as failed attempts in logging onto a systemSuccessful and failed attempts by users to access, modify, destroy audit log files Content:The following content must be included with every audited event Date of the event and its time of occurrence Information about the component of the information system (either hardware or software) where the event occurred Type of the event occurred Subject/user identity Outcome of the event- either success or failure

  19. 4. Auditing & Accountability Response to Audit Processing Failures Time Stamps Protection of Audit Information Audit Record Retention Logging NCIC and III Transactions

  20. 5. Access Control Account Management Access Enforcement Access Control Mechanisms Access Control Criteria Least Privilege Unsuccessful Login Attempts System Access Control System Use Notification Session Lock Remote Access Personally Owned Info Systems (BYOD) Publicly Owned Info Systems

  21. 6. Identification and Authentication • Identification Policy & Procedures • Use of ORI in Transactions and Information Exchanges • Authentication Policy & Procedures • Standard Authenticators • Personal Identification Number (PIN) • Advanced Authentication • Advanced Authentication Policy & Rationale • Identifier and Authenticator Management • Identifier Management • Authenticator Management • Assertions

  22. 7. Configuration Management • Network Diagrams • The logical pattern of all the components of the system such as routers, firewalls, encryption devices, hubs, switches, computer workstations and servers should be illustrated. However, the individual clients (workstations) needn’t be shown and a number of such workstations can be mentioned. • All the circuits, communication paths and other components of the system that are used for interconnecting the agency owned systems and passing through all the interconnected system to the end-point of the agency system. • The name of the agency and date (including day, month) and year when the drawing was created or was updated. • Clear mention of “For Official Use Only” (FUOU) markings • Emergency/IT Contact Name & Number • Physical Address of Location • Security of Configuration Documentation • Access Restrictions for Changes • Least Functionality

  23. 8. Media Protection Media Storage & Access Physical Media in Transit Electronic Media Sanitization & Disposal Disposal of Physical Media

  24. 9. Physical Protection Physically Secure Location Security Perimeter Physical Access Control Access Control for Transmission Medium Access Control for Display Medium Monitoring Physical Access Visitor Control Delivery & Removal Controlled Area

  25. 10.Systems and Communications Protection and Information Integrity • Information Flow Enforcement • Boundary Protection • Encryption • Intrusion Detection Tools & Techniques • VoiP • Cloud Computing • Fax Transmission of CJI • Partitioning & Virtualization • System and Information Integrity Policy and Procedures • Patch Management • Malicious Code Protection • Spam & Spyware Protection • Security Alerts & Advisories • Information Input Restrictions

  26. 11. Formal Audits • Audits by the FBI CJIS Division • Triennial Compliance Audits by the FBI CJIS Division • Triennial Security Audits by the FBI CJIS Division • Audits by the CJIS Systems Agency (CSA) • Special Security Inquiries and Audits

  27. 12. Personnel Security • CJIS Compliance Personnel Security Policy and Procedures • Minimum Screening Requirements for Personnel Needing Access to CJI: • Personnel Screening for Contractors & Vendors • Personnel Termination • Personnel Transfer • Personnel Sanctions

  28. 13. Mobile Devices Wireless Communications Technologies 802.11 Wireless Protocols Cellular Bluetooth MDM Wireless Device Risk Mitiations System Integrity Patching/Updates Malicous Code Protection Physical Protetion Personal Firewall Incident Response Auditing & Accountability Access Control Wireless Hotspot Activity Idnetification & Authentication Device Certificates

  29. Dawn Temple Agency Information Security Officer MT Dept. of Justice | Information Technology Service Division Call: 406.444.2412 Cell: 406.671.4590 Chat: datemple@mt.gov Stop by:  http://doj.mt.gov Follow:  indigogirl@MTDOJSecurity CONTACT INFO

More Related